Supply Chain Cyber Attack

Unsecurity Podcast

Episode 119 of the UNSECURITY podcast is jam-packed with a number of current events topics Evan and Brad have been following. The discussion includes a super useful and free “Legal Guide to Privacy and Data Security” written by a friend, a novel supply chain cyber attack of some big tech players, and more on the water facility attack from last week and what that might mean for our national infrastructure as a whole. Give this episode a listen or watch, and as always, send us your questions, comments, and feedback to

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Hey there. Thank you for tuning in to this episode of the unsecurity podcast. This is episode 119. The date is february 17th 2021. And I’m your host Evan Francen. Joining me is my good friend as pretty much always. I mean, I think we’ve been together for the last God knows how many podcasts, but he’s Brad.

[00:00:46] Brad Nigh: Good morning Evan.

[00:00:48] Evan Francen: How’s it going today?

[00:00:49] Brad Nigh: Good, good disease.

[00:00:52] Evan Francen: Yeah. Right. Yeah. I was up until, I don’t know what time last night and whatever. I’m not gonna complain. It were security people and we often work long hours.

[00:01:04] Brad Nigh: Yeah, it does. It does eventually, you know, kind of catch up to you and you have to reset.

[00:01:11] Evan Francen: But right. Yeah. Yeah. I was going to have to say some jokes, but they’re inappropriate and I’m not sure if we’re in cancel culture or not. So I’m not going to say stuff. I want to offend anybody. But the, Okay, episode 1, 19, uh, things to talk about today, things that I wanted to talk about today. There’s uh, serving unusual itself. Um, naked security, you know, had published uh, an article and actually did a podcast on it too. But how one man, silently infiltrated dozens of high tech network works. And I thought the attack vector was pretty Malval because it’s, you know, I guess I didn’t think about it that way. Um, but it was very effective. Right? It didn’t require him to crack any passwords, often require him to really, you know, do much, you know, to break in. It’s just sort of a back door that I think a lot of people don’t realize is there. Yeah, so a little scary because you know that yeah, the way we develop software today, it’s not like everything is developed in house. We’re pulling libraries from all over the damn place. And anyway, that’s uh that’s pretty scary.

[00:02:33] Brad Nigh: There’s a lot of implied trust there

[00:02:37] Evan Francen: totally, man. And I, yeah, we’ve got, we’re going to have to do something about it because it’s, it’s another sort of attack factor. That’s not all that. I mean, it’s different than what we saw with solar winds and the whole that whole debacle. But there’s some similarities between the attack factors and um yeah, now it’s been published, so if any of the Attackers hadn’t been thinking this way, well, it’s right there in front of, you know, Yeah, I want to talk about that. I wanted to talk about my a good friend Michael Cohen from GPM, he’s a lawyer. Uh he just released a new uh, it’s called the legal guide to private data. The legal guide to privacy and data security. The reason why I wanted to announce that. I said, I think it’s a great reference. It’s completely free. Uh the legal landscape of for information security and privacy in the United States is all over the map. And uh I think it’s a good free reference, you know, written by a guy who knows what he’s talking about.

[00:03:47] Brad Nigh: Yeah, yeah. He’s uh like talking to him.

[00:03:50] Evan Francen: Yeah. Right. He’s got that dry sense of humor too. All right. I sort of get it.

[00:03:56] Brad Nigh: That was probably one of the few times I think I’ve ever said that about a lawyer.

[00:04:00] Evan Francen: Right? Yeah, we can do all kinds of lawyer jokes. He’s probably got some good bladder jokes to maybe we’ll have him on as a guest sometime. Uh so I figured we talk about that. And then just before we started the show, we were talking about uh you know, it’s not old old news, but you know, things move really fast around here. But the, you know, the old mar water attack, we can talk about that again briefly before we roll into some news stuff. So I think that’s the that’s the agenda. But before we dive in too deep. How you doing? How’s how’s uh how’s things

[00:04:38] Brad Nigh: good? Yeah, yeah, Oldest turned 15 on Monday and got her learner’s permit. That’s terrifying.

[00:04:46] Evan Francen: You know, I’m looking at your beard right now. I don’t see any grey hairs in there, man.

[00:04:49] Brad Nigh: Well there, over on the side,

[00:04:51] Evan Francen: okay. If you look at mine, they’re like

[00:04:55] Brad Nigh: all over

[00:04:56] Evan Francen: right on from

[00:04:57] Brad Nigh: now. The kid driving so I’m sure it’ll turn great pretty quickly. But yeah, it’s fun. She’s so excited about it so kind of something nice and right uplifting positive and the crap that has been the last year. Yeah.

[00:05:17] Evan Francen: Uh Yeah I got back, well you know I was got back from part of my aorta. Mhm. Last week I came back to this 2020 plus 10 below zero. Are you kidding me?

[00:05:31] Brad Nigh: I think we went from like thursday until yesterday where we didn’t get above zero. Uh huh I don’t know if it’s frozen or farm frozen.

[00:05:51] Evan Francen: Yeah it’s my VPN man, I’m always on VPN so sometimes VPN kind of gets chunky for me

[00:06:00] Brad Nigh: okay. Yeah it froze up there was like oh

[00:06:03] Evan Francen: like it turned my VPN off. I am on my home, my own home network but I’m a security guy.

[00:06:11] Brad Nigh: Yeah. Anyway, so I missed you so you got home and I said it hadn’t been above zero since from thursday until yesterday and then your friends up so I didn’t hear what you said.

[00:06:22] Evan Francen: Oh it’s just the whole country is frozen.

[00:06:26] Brad Nigh: Yeah, so I know we’ve been talking to talking with Oscar and like they’ve gotten a cat inch of ice down there and you see the stories about texas where those buildings aren’t built and insulated for single digits and pipes bursting and the electricity being out, You know you’re seeing pictures and apartments in the houses that are like 30° inside and it’s not like appear where you’ve got snow gear and you know, you’re used to these things, but it’s been, it’s crazy

[00:07:07] Evan Francen: when I got friends down in texas and they’re all without power. Yeah.

[00:07:12] Brad Nigh: Mhm Yeah, and who knows when it’s gonna come back.

[00:07:16] Evan Francen: Right. And that, you know, we take that stuff, I don’t know, I sort of take that stuff for granted sometimes, you know, you get up in the morning and you turn on the light, you know, you’ve got a nice warm shower, you got heat in the house, you know, it’s just we take those that stuff for grant. I can’t imagine going through 20 some odd below here in Minnesota without hunger,

[00:07:38] Brad Nigh: you know, that would be, I don’t think, I don’t know how you could

[00:07:43] Evan Francen: Right, do you have a generator?

[00:07:45] Brad Nigh: I don’t, we actually looked very hard at when we have to have our roof replaced due to hail damage at doing solar roof. Mhm. Right. It was just, it was too much at the time.

[00:07:58] Evan Francen: What do you what do you do with a solar roof in the winter in Minnesota when there’s snow and stuff that will it Okay.

[00:08:08] Brad Nigh: Yeah, because you get is a slide off that’s at an angle. Okay. And it’s, you know, so, but yeah, we are houses the back of the house is facing and based on the googles solar project, it would cover 99% of our electricity use,

[00:08:29] Evan Francen: you know, my mother lives in Ohio and she’s got, you know, she bought a farm down there after retirement and yes, she uses solar power and actually sells a good amount of power back to the power company. Yeah, yeah. So she actually gets negative power I guess. Yeah,

[00:08:55] Brad Nigh: his credit.

[00:08:56] Evan Francen: Yeah. And they, we hear, you know, I’ve got a gas, I’ve got a couple of actually a couple of, You know, gas generators. Um my house was built in 1872, so you just never know what’s going on around here. Uh the power has been very stable, so I’ve only had to use them, you know, a couple of times, but we thought about getting a natural gas, you know, generator, those are really nice. You’ve seen those?

[00:09:23] Brad Nigh: No.

[00:09:25] Evan Francen: Yeah, basically they, it’s a big generator, it’s usually a whole house generator and it hooks up to your natural gas and some of them are built with, with automatic transfer switches. So when power goes out it will just automatically kick on and they’re pretty quiet, you know, so you have to go out there and start it or anything interesting. Yeah, I think Home Depot has some lows has them. Uh you can find them online. I thought about that. Yeah,

[00:09:56] Brad Nigh: yeah, natural gas, uh might not be a bad idea.

[00:10:00] Evan Francen: Yeah. You know, there’s sort of expensive, but you know, when you need them, you don’t really think about the expense.

[00:10:07] Brad Nigh: Right, right. Yeah, Yeah that’s very true luckily you know not going to live with that very little power issues up in Minnesota period. So.

[00:10:21] Evan Francen: Well it’s funny how the power grid sort of works here because you live what maybe 10 less than 10 miles from me and your power might be really stable because you also live in a newer neighborhood. I live in a downtown small town where it’s an old neighbourhood, older infrastructure. It’s not uncommon. I would say once a year, maybe twice a year we’ll lose power here. Hm. Um And I’ve run my generators before I actually borrowed or lent one of my generators to a friend and then the generator I had running in my garage and I ran there were extension cords going to three other houses because they didn’t have generators.

[00:11:03] Brad Nigh: That’s funny.

[00:11:04] Evan Francen: Yeah. So I was running you know my neighborhood to the back was running his refrigerator. The neighbor over here, I was running his uh his freezer, you know he’s got one of those chest freezers, he didn’t want to lose all his meat and everything and then I had you know my own, it was funny

[00:11:22] Brad Nigh: that is Oh you know now if it if if power goes out in the winter and it’s gonna be out for an extended period you just put your stuff out in the garage. Like I think our garage yesterday was like 15°.

[00:11:35] Evan Francen: Yeah. Yeah man. I mean it’s it’s not how fast to the that cold? Just sort of sneaks up on you when you go outside. You know, at first like it’s not so cold and then next thing you know, you can’t your fingers are stinging and your face is falling off.

[00:11:52] Brad Nigh: Oh just you know at the bus stop, we wait in the car till the bus comes around the corner. Then I get out and help kindergarten get his backpack and stuff because he’s got all the snow gear, walk to the bus like we’re at the intersection right? So I walked to the busing wait for it to leave because every all the parents have to wait because your kids get upset if you don’t. And my moustache is like frozen solid. It’s got icicles just from breathing, it’s so cold.

[00:12:23] Evan Francen: Yeah. You have a friend of mine who’s down in Austin he ted was texting me, you know, he showed me the temperature and he’s like, you know, I don’t expect any sympathy but you know, I’m like, well actually I’ll give you sympathy man, I don’t I feel bad about Oh, you know, just because it gets down to 23:30 below zero here doesn’t mean I don’t feel bad for somebody who’s mm and in other parts of the country man,

[00:12:51] Brad Nigh: they’re not gonna typically going to have the right gear to get through that because it’s not normal, why would you get heavy gear and still pants and boots and all that stuff if this happens what once a decade?

[00:13:09] Evan Francen: Right. Right.

[00:13:11] Brad Nigh: Even if it’s once a year, it’s probably not worth it.

[00:13:15] Evan Francen: Yeah. Very true. Very, very true. All right. Let’s go to uh this article this, you know from naked Security. The guy’s name is uh person, I can’t remember his last name. Person, Alex Burson. So Alex person did a paper, wanted to do a research study and what he wanted to do was uh you know, there are bug bounties everywhere. So he didn’t he didn’t break any laws or anything. He followed the rules and in that he he capitalized on the fact that many of our software programs are not all container contained, you know, to a single development shop. Right. You call libraries and things that other people have written because it makes your code more efficient. Uh Some of these libraries, I mean they do functions that it would take you years to develop. Right,

[00:14:16] Brad Nigh: Well, why we reinvent the wheel with some of this stuff? Because I think he said at this these things can take a long time.

[00:14:24] Evan Francen: Yeah. So, you know, I mean to take like uh you know, in the article, you know, 11 example is, you know, decrypt that dll, you know, which is for encryption obviously uh it’s simple to call that function, you know, be crypt. GN random and encrypt whatever it is you want to encrypt versus right. The entire I guess library to perform all that, all those functions. Um Mhm. So that’s the good thing is it makes our code much more efficient. And the bad thing is we’re pulling libraries and trusting a bunch of different people, you know, some open source many, many times outside of our own organization. We’re trusting their development, they’re testing their security when we’re pulling in those things in their own somewhere and nobody’s really immune to this. I mean, security studio is a software development shop where they’re doing all kinds of things. They didn’t write every single line of code. Right. I mean, you just you almost can’t nowadays, you know, it become so dependent upon re using code across organizations. Also understanding that ah you know, he went down the path of trying to figure out what, because you know, take Microsoft, for instance, Microsoft will have their, you know, they do keep things somewhat containerized so they may write a piece of code and then start internally. Um and then just call that code internally. Right. Right. Yeah. Now, if you can figure out the name of the library that’s being called, you could potentially uh create a new library outside of that. So yeah. Well

[00:16:27] Brad Nigh: even then like they have a good example there of uh you know, face neck Well that you’re you’re dependent on you use it. So you’re depending on that. But then you look and just at a high level there’s like 15 libraries that face that depends on because it stacks. Right? So, you know, cases depending on in the example chinese whispers. Chinese whispers needs Js network acts, which they needs uh will run time which needs regenerator on time, you know? So it it just stacks and yeah, it makes your life a lot easier. But it’s not it’s complex behind the scenes.

[00:17:07] Evan Francen: Super complex because you know, you go down through the layers, it’s like following the branch of a tree, the branches out and branches out and branches out. So yeah, facing it calls, you know, at types slash N N D R A or N N D array art parse blessed, blessed. Con Trib bro, log canvas, chinese whispers, chinese whispers. Then calls, Js networks came enough shuffle num Js, Js networks that will run time. Low dash on and on and on. And so one little call might actually be, you know, you think it’s just one call to one library but actually it might be A call. 200 different libraries. 1000 different libraries. I mean the rabbit hole can go really, really deep. What

[00:18:00] Brad Nigh: do we say about complexity?

[00:18:02] Evan Francen: Oh my God. Right. It gets super complex. And so security. Right. And we call those dependencies. Right? I mean one piece of code is dependent upon another piece of coach dependent on another piece of code and on and on and on. And so we have, you know, understanding that this gets really complex. So we need to automate the updated because that’s another thing. Right? You need to patch every line of code beyond I would say hello world. Mm probably has an error in it somewhere. Right. Or a vulnerability that may be the developer didn’t realize at the time. Technology has changed. I mean there’s just a ton of different reasons and why you need to keep your code up to date. Yeah. So recognizing that that’s a big issue. You know, we we have things like pipe, I write for python, ruby gems for ruby and PM for no Js these are package management tools that essentially figure out or try to manage the dependency complexity and go and get all of these updates automatically so your coat. So you don’t have to keep track of what I need to update this and look at that. Look at this, all that stuff sort of through the chain ends up kind of getting updated automatically for you huge convenience. Plus I think it’s a good security thing. But what happens, you know, if um, you can Essentially trick one of these package management tools, the update code with your code versus the code I was supposed to be updating with. Yeah. And so in that, uh, it’s sort of what bursts um, um, took advantage of or you know, sort of pointed out that this is an issue. So big vendors, you know, and what’s mentioned in the articles Apple Microsoft. Tesla, Uber. Yelp many many others, they have their dependencies, but some of those dependencies are also internal. Right, right. So we can have dependencies where we’re calling some sort of, you know, shared public sort of library, uh some open source thing. We’ve also got internal dependencies.

[00:20:18] Brad Nigh: Yeah, Which makes sense because you’re, you know, every organization would be different, has different needs. You build your custom code that calls the public libraries, you’re not rewriting everything.

[00:20:30] Evan Francen: Yeah, yeah. And some of that code you want to keep proprietary, some of that code you invested a lot of time in. So maybe your some of your libraries are internal. Mhm. We want to keep them uh you know, internal. So, um organizations who keep those things internal. What he was curious about is if he could collect a list or find a list of unique package names from these big players and and then change or essentially create the same package that are not the same package, not the same code, but the same package name, essentially would one of these package management tools automatically update with his code versus the internal

[00:21:20] Brad Nigh: based on name

[00:21:22] Evan Francen: based on name, yep. And so, you know, he went about that now finding the unique package of unique package names of some of the cook uh you know, the big players, you can oftentimes you find that in the code itself. Right,

[00:21:39] Brad Nigh: which isn’t, you know, it’s that’s necessarily secret right there, publishing out to make a website work. Well then it’s public.

[00:21:49] Evan Francen: Right? Right. So then taking those internal names, putting them into open package, open source package repositories um with the same names and then publishing those and then basically sitting back and watching and seeing what calls home, he didn’t insert any malicious code malware was

[00:22:14] Brad Nigh: just that call home functionality. That verification.

[00:22:17] Evan Francen: Right. Right. And you know, essentially waited and many dozens of them ended up uh going home, you know, so probably surprising maybe, I mean, I can just imagine when he’s sitting there like yeah, they’re calling home, so that’s a big issue, Right? If we can trick essentially trick software trick an application to use my library instead of the one that you intended it to use.

[00:22:53] Brad Nigh: Right. Yeah. It’s like you have full remote code execution at that point,

[00:23:01] Evan Francen: but yeah, when he wants to stop you. Yeah.

[00:23:05] Brad Nigh: Uh huh.

[00:23:07] Evan Francen: So that the sort of the scary thing about this is this has been this way for a long time.

[00:23:15] Brad Nigh: Mhm. Yeah, I wonder how many attacks we’re gonna learn about now that people are going back and going that’s what happened.

[00:23:23] Evan Francen: Right, Yes, I did, yeah. So there’s some good, you know, tips on how if you are a software development shop on how you can uh you know, kind of avoid this attack, I think now these not unless the things is going to guarantee it,

[00:23:43] Brad Nigh: you know, it just as a kind of an insight but on the on the same lines, the web server that had uh the malicious activity it was due to IT DLL or basically the library That was like three years old Or it had a known execution, remote code execution vulnerability that was patched in 2019 and it was from 2016. So, you know, you gotta have Yeah, sure. The web server itself, the OS and you know, the web server software was updated but the those packages that they were using for, you know, functionality, they didn’t think to update that. Right. So basically the same kind of thing

[00:24:36] Evan Francen: it is man, how many times have we seen? I mean, I’ve seen it, I can remember at least half dozen times when the maintainer of open source code essentially, you know, wants to retire. Right. And so another maintainer comes in or somebody else, you know, ends up, you know, sort of maintaining the code, didn’t we have a like a major card wasn’t it? Major card, Yeah, it was a malicious person who took

[00:25:05] Brad Nigh: over

[00:25:05] Evan Francen: maintenance of the code and major card was in, you know, thousands and thousands of installations.

[00:25:12] Brad Nigh: Yeah. Well what’s crazy on this one? It was it was paid software like it was, you know, commercial software that didn’t get updated. Right. You know, I can see where you’re going though like yeah, the maintainer stops, maybe nobody takes over and now it doesn’t get updated but it’s so you got so many dependencies or other libraries have to depend on it that you can’t just stop using it.

[00:25:42] Evan Francen: Right. Right. So from a software development perspective, I mean you really need to be cognizant of these attack vectors. Right? And account for them in your own software development as a consumer, you’re basically powerless.

[00:26:02] Brad Nigh: Oh yeah. I mean this is mm literally one of the few times where there is nothing you can do.

[00:26:11] Evan Francen: Right? I don’t know. Yeah, because you wouldn’t know if this is normal behavior right? Or abnormal behavior because you don’t know the internal workings of the code and it’s not like you’re going to, you know, take it d compile it, try to figure out all these things, figure out all the dependencies, track that back and go down the path of who calls what and what may forget about it. Right?

[00:26:38] Brad Nigh: Yeah. It’s it’s crazy.

[00:26:42] Evan Francen: Yeah. It’s a huge mess, man. And I’m thankful that that he, you know, went down this path and took this approach because it opens up a whole pandora’s box of issues that we’re going to have to we’re gonna have to account for a deal is somehow. Yeah,

[00:27:03] Brad Nigh: yeah. And you know, he has a good article at the end of from Microsoft, I haven’t read it yet, but the three ways to mitigate risk using private package feeds. So I’ve downloaded that I’m gonna be reading that later for fun because that’s what we do. But yeah, I thought this was a really well written article and had some really good recommendations at the end.

[00:27:27] Evan Francen: Right. Right. For sure. And for people who want to reference it or go read it themselves, the name of the article is how one man silently infiltrated dozens of high tech networks. It’s on the naked security blog by so foes a really good read. The author does a great job of walking you through how this becomes a big, I mean how this is such a big issue and it’s a kind of that Pandora’s box. I also like how you know there were But six tips on what you can do, you know from a development perspective. So the first one to separate your developers from live public repositories don’t allow external package updates in your development network until they’ve been downloaded and vetted by your security team. So it’s basically correct. Ain’t containing creating a container where you’re not just gonna allow these automatic external package updates, you’re going to get them first, make sure the legitimate and then allow them into your repository.

[00:28:36] Brad Nigh: Yeah. And if you read the actual article that’s reference, there is a lot more technical information in it. It’s on medium but that was really cool. It’s crazy how some of these people like find these things and I know our guys have done it to with you can’t mention some of the stuff because you know but like yeah it just blows my mind. Like I was I saw it and like I probably have never thought of that.

[00:29:05] Evan Francen: Well, that’s why, you know, in that another thought process, you know? Uh no matter how good you think you are, how you know, technical, technically brilliant you are. Mhm. It’s so important to have different perspectives. Different people look at problems from a different way. I’m much more of a break down your front door kind of guy. You know, I mean occasionally if it’s too hard to break through your, you know, your door, maybe look for something around the other side. Whereas other people think like I’m already looking around the other side. I don’t give a crap about the front door. And it’s just a different way of thinking. It’s a different perspective. And people like verse on people like you, you know, people like, you know, Oscar and his team, that’s why it fascinates me. Because it’s like you looked at this problem from a totally different angle. Mhm. And exposed something. Made it, you know, made our solution a lot more valuable.

[00:30:06] Brad Nigh: Yeah. Oh yeah. The the more diversity and experience, we’ve said it many times, it’s going to make the team and make you better.

[00:30:15] Evan Francen: Yeah. And I look at it from I’m much more about logic person to, you know, logic kind of reason kind of person thinking critically take race out of it, take everything else out of it, take gender out of it. What’s important just functionally is the diversity of thought. Now somebody who grows up in a different race, a different race than me has a different perspective on things. That’s why they’re so valuable. I mean, all these different perspectives, right? Raise gender, sexual preference, whatever you’re thinking different than I am. And rather than like that’s bad, it’s like no, bring that stuff. We want that. Okay.

[00:31:01] Brad Nigh: Yeah. It you know. Uh Yeah, so good people that, you know, and we see it all the time. And that’s probably part of the problem with our industry is that they know everything aren’t willing to listen to others.

[00:31:19] Evan Francen: I think those are the people that are the easiest to attack.

[00:31:24] Brad Nigh: Mhm. Yeah.

[00:31:27] Evan Francen: Because you’re so you’re so myopic and close minded and focused on this one thing while, you know, everybody’s taking stuff out the back door,

[00:31:35] Brad Nigh: Right? Exactly. Yeah. You’re so focused on making sure the front door is locked and secure that you forgot the garage is wide open. Yeah.

[00:31:44] Evan Francen: All right. Uh So other things, you know, just real quick. I’ll go through the list in the article. Be prepared to rewrite your modules uh and keep dependencies under control. Uh Really vet every single dependency that you use in your code and and follow the rabbit hole, right? You need it’s your responsibility, your responsibility to do that, not your consumers responsibility to do that. Mhm. Soviet it all the way through. And if you can’t or you too lazy or don’t want to well then don’t use it. Yeah, you gotta know your code works man. And the code that you’re borrowing from other people, you got to know how that works,

[00:32:27] Brad Nigh: yep. Yeah. Well yeah, can’t just assume

[00:32:33] Evan Francen: no another tip review all package update tools and stop them accessing public repositories unless they are supposed to specify and verify dependencies that are in there allowed versions as strictly as you can uh don’t let code review become a simple checkbox. Oh my God, could check box security ticks me

[00:32:55] Brad Nigh: off. Yeah,

[00:32:59] Evan Francen: yeah, the check boxes are meant to use that meant to be used at a higher level. Right, Did you complete this task? And this task might be, you know, a static code review, you know, given these all these requirements. So it’s not like the minimum I do you know, it’s just the check box, it’s like no, it’s a reminder sort of thing. Not a right, you know, Yeah,

[00:33:25] Brad Nigh: agreed.

[00:33:27] Evan Francen: The last one is verified external package updates by watching for unexpected file system changes on a test system first before releasing into production, that just seems reasonable. Mhm. Uh So and really the onus is on development man, this is not something consumers can or should do

[00:33:48] Brad Nigh: and I can tell you, you know, we’ve had multiple engagements with companies that do you know there’s software development companies are internal deV teams with our pen testers about sclc and you talk to them And it’s like,

[00:34:05] Evan Francen: mm, Okay. Yeah. But if you can develop software, uh, responsibly don’t develop software,

[00:34:17] Brad Nigh: Right? And I will give credit to this company. They realized and identified a vulnerability or weakness and took steps to correct it. Which I mean that’s really all you can ask for. Yeah.

[00:34:33] Evan Francen: Yeah. Well, and one of the things we’re working on and I haven’t really mentioned it too much because it’s not exactly ready is uh, me and some friends are putting the other a think tank sort of thing. And in that is, and it’s it’s not like you’ll have to see that eventually we’ll put it on the show, you know, and you and I’ll talk about it. But it’s a it’s very much focused on fixing real issues in our industry, as a collective, as a collaboration, keeping money out of it, keeping ego out of it, keeping all this crap out of it. And so the core values of this are very strict, right? It’s not data for you to make more money. We’re not going to accept sponsorships. You know, it’s just, it’s very clear, but one of those problems, you know, as a seed problem that I want to, that I’m suggesting that the group work on because you’ll become a member too. I’m guessing you would certainly be invited to become a member? It’s up to you or whether you want to? Um, but one of those issues is how do we hold ourselves accountable? So how do we hold a software development organization accountable for crappy code that leads to significant losses for their consumers or death. Mhm. Because until you start holding software development shops and start holding Microsoft and adobe, whoever accountable for their code, you’re going to keep having this problem, it’s gonna get worse. Yeah,

[00:36:08] Brad Nigh: well, it’s not just a a simple problem either, because how much of this is open source. And how do you do you hold a volunteer that’s not making any money, That’s just doing it, you know, Do you hold them accountable because they made a mistake versus that company that’s counting on it and didn’t right, do their proper vetting. It’s like, yeah, that’s a complex.

[00:36:36] Evan Francen: Well, these tech companies are making billions and billions and billions of dollars. You can’t tell me that you can’t slow down a little bit, invest a little more time and effort in ensuring your code is top notch quality, right? Including follow following all these dependencies to put it on the consumer who can’t afford that and couldn’t do it anyway.

[00:36:59] Brad Nigh: Yeah, my sorry, my dog is an idiot. He’s out on the deck, rolling around in the snow. It’s like what negative two out.

[00:37:07] Evan Francen: My dog’s an idiot too. I love my dog so much. But yeah,

[00:37:12] Brad Nigh: sorry, totally distracted me. That that’s right outside the office. Um

[00:37:17] Evan Francen: Yeah, but what we agreed. Yeah, stay tuned for uh for that man, I’m excited to put that together and excited to be a part of that. Uh The other thing that I wanted to mention was so Michael Cohen, who is an attorney at Lathrop GPM. Really good guy. I enjoy every time I get to visit with him, they just published a free guide that’s called a Legal guide to privacy and data security. Its current its data 2021. It’s a long read, but it’s a reference guide. It’s 220 pages long. I doubt most people would read it cover to cover, but he does a fantastic job of breaking down all the confusion.

[00:38:08] Brad Nigh: I don’t think I would guess he didn’t intend it to be read cover to cover. It is really a reference. Hey, I have a question about this, I’m gonna go look at that.

[00:38:19] Evan Francen: Yeah, for sure.

[00:38:20] Brad Nigh: But yeah, it’s just really, really comprehensive.

[00:38:23] Evan Francen: Yeah, I did read, you know, some of it uh well, and one of the things, one of the questions that, you know, I debated with some friends and I think maybe even you was, you know, the right to privacy.

[00:38:39] Brad Nigh: Yeah, we talked about that.

[00:38:41] Evan Francen: Yeah. So on page one, essentially, actually the 15th page and the guide, he’s got, you know, the legal basis for a right to privacy and I thought, wow, that’s that’s a good read. And so he highlights, you know, constitutionally, there is no explicit reference to privacy as a write in the United States Constitution. But the Supreme Court of the United States has however, held in several cases that there exists a right to privacy or at least a reasonable expectation of privacy As implied in the 1st, 3rd, 4th, 9th and 14th amendments. And so I started reading, man, I’m like, okay, okay, that’s great that that we’re not doing any of that crap. Mhm. It’s as a country, as an industry, the Supreme Court of the United States has held that these things are true, but that’s not how we’re operating. Yeah. Yes.

[00:39:49] Brad Nigh: Yeah. It’s a uh it is a really interesting, you know, discussion. And you know, the fact that Yeah, he listened to that. There’s 10 states that have right to privacy explicit in their constant state constitutions. Mm hmm. It’s not good.

[00:40:11] Evan Francen: Well, and they’re all and and and and their languages all different to right. And then what about the other 40 states? And it’s not like you containerized all of your information in one state. Right.

[00:40:24] Brad Nigh: Well, I think that’s why you’re looking at some of these big companies saying, hey, let’s get a federal privacy law. It’s not because they’re doing it out of goodwill. It’s Complying with 50 individual states is a nightmare.

[00:40:38] Evan Francen: Yeah. Yes. Yes. So if you’re in security and uh and you’re not a lawyer. But even if you are a lawyer. It’s it’s just a great reference guy. Uh you know, I’ve got it downloaded to my computer already and started reviewing it and it’s uh it’s going to be handy in a lot of different. Oh

[00:41:01] Brad Nigh: yeah. Yeah, I get asked these privacy questions all the time and it’s always I’m not, a lawyer does not constitute legal advice if you want here go talk to a lawyer, but you can look it up and give an opinion. It’s like, hey this is how I read it, but that doesn’t right. You need to talk to a lawyer.

[00:41:23] Evan Francen: Well, I don’t mind at all quoting lawyers. I mean this is if I quote right out of this guide, makes me sound smart. That’s for sure.

[00:41:33] Brad Nigh: Right. And you did a good job of putting it in a way that you can use to. It’s not just quoting. Yeah. The lots.

[00:41:45] Evan Francen: Yeah. Very good. Yeah. Yeah. It’s probably one of the best reference guides that I’ve seen and it’s free. Mhm. Yeah. He’s got a broken down, you know, legal basis for the right to privacy is kind of the opening and then talks about federal laws governing data privacy and security. He’s got HIPPA copa can span E. C. P. A. G. L. B. A. T. C. P. A. F. F. C. R. A. In fact the F. A. A. Some having heard it before.

[00:42:16] Brad Nigh: Yeah. The junk fact provincial facts prevention act. I’ve never heard of that.

[00:42:21] Evan Francen: I never either. He had junk facts prevention act. J. F. P. A. Yeah, I never heard of it either. Yeah. And then he talks about things. Got a section dedicated to privacy and employment, the employment relationship, which is pretty being cool. They breaks down all the state data privacy and security laws, you know, starting with Minnesota because that’s his home state. That’s uh it was actually this was a collaboration effort between the state of Minnesota and him to make this guide free and then breaks down all the other states. Yes, it’s pretty cool stuff. And then he does talk a little bit about Canada in other countries, but this is really um domestic.

[00:43:11] Brad Nigh: I definitely read through the Minnesota one just just because it’s where we live. So it’s good to know.

[00:43:19] Evan Francen: Yeah. Yeah. He uh he emailed this to me yesterday and I was like, oh dang because the last one I liked to, but he made this is really, really is a lot better even than this last month.

[00:43:33] Brad Nigh: Yes. It’s really impressive.

[00:43:35] Evan Francen: Yeah. And the guy’s name again, Michael Cohen, if you need a, I don’t know if he needs business. I doubt it because he’s probably swamped. But he works at Lathrop GPM, which is also really good law firm. So there you go. Yeah. All right. That stuff is that’s not a cluster enough for you on a Wednesday morning. How about some news? Yeah. Oh boy. Oh boy. So here’s uh here’s one the first one I’ve got. It’s a hot for security from bit defender, uh their blog and Graham Cluley is the, I think the author of this article, the title is after hackers blackmailed their clients finish therapy firm declares bankruptcy. Remember this attack?

[00:44:22] Brad Nigh: Oh yeah.

[00:44:23] Evan Francen: No. Yeah. Well there bankrupt now. Yeah. Has surprised.

[00:44:30] Brad Nigh: And to just see the how they got in blogging was root Root.

[00:44:37] Evan Francen: It’s insane man. The basics, isn’t it? Always the basics? Yeah. Yeah. So it’s hard to excuse yourself for that. And also the fact that you know the ceo billy Tapio I believe it’s really it’s B. I. L. L. E. Um tweet. They knew about it for a while, tried to kind of cover it up. And it wasn’t until the Attackers started going after the clients that it’s like okay we have to sort of spill the beans here. And so I wonder if I know it would be nice on things like this to hold an executive criminally responsible because it’s criminal behavior.

[00:45:25] Brad Nigh: Yeah. I know I didn’t see anything specific to him other than that he was fired.

[00:45:35] Evan Francen: Yeah. I mean

[00:45:36] Brad Nigh: he was responsible for setting up the database apparently. So.

[00:45:40] Evan Francen: So he’s saying so the Ceo sets up the database, the data basic attacked and then he tries to hide it. No. Yeah. I don’t have your seat set up databases in most cases,

[00:45:54] Brad Nigh: not that no offense to ceos looking at,

[00:45:59] Evan Francen: you know I’m not saying. But

[00:46:02] Brad Nigh: even if you had done that in the past, it’s not what you’ve done in a really long time

[00:46:09] Evan Francen: no wine. Even if I was super skilled in setting up databases as a ceo I’ve got 1000 different things to do.

[00:46:16] Brad Nigh: Right? That’s not your job.

[00:46:18] Evan Francen: How much attention can I actually give to it? How much attention to detail? You know, I’m going to get that thing set up because it works as a work. Okay, go through and try to secure it, harden it, okay. I got something else to do and then you forget where you left off. Yeah. No, let the specialists do that stuff. The only databases I stood up is maybe in test, you know, monkey around with suffering but

[00:46:41] Brad Nigh: more for like Yeah,

[00:46:44] Evan Francen: yeah. So 40,000 patients were affected by the breach at the end of the day there it’s and in the name of the organization was fast um Oh, a psychotherapy practice. Right. So really significant data to go on blackmail the clients with. So sorry, not sorry that you’re declaring bankruptcy because you probably shouldn’t have been in business to begin with.

[00:47:13] Brad Nigh: Yeah, the downside is the people aspect of 400 employees. Yeah. Any of those were completely unaware or had no input into any of this and now they’re out of a job.

[00:47:27] Evan Francen: Exactly, yeah, hopefully they’ll land land on their feet and hopefully in the Ceo maybe lands in jail because yeah, you’re right, look at that, you do that crappy behavior. You put 40,000 people At risk and the 400 employees that you lied. That depend on you to make good decisions. Any you got to pay a price for that pen. Yeah. Great. Those are real lives. Those are real people that suffer. Alright. The next one we can keep sort of short. It’s one silicon angle and I just thought it was interesting because I haven’t heard much you know publicly from Microsoft ceo brad or president brad smith, he labels the solar winds hack is the largest most sophisticated attack ever.

[00:48:23] Brad Nigh: Yeah. I mean He said that they figure it’s well over a 1000 engineers that worked on the attack. That’s I mean a significant amount of manpower.

[00:48:38] Evan Francen: I’m telling you brother this is and people don’t, at what point do you just call come out and just state that this is an act of war.

[00:48:50] Brad Nigh: Yeah. Well I mean it’s been attributed to the Russians but that’s as far as it’s gone.

[00:48:56] Evan Francen: When we talked about last week how the chinese although they didn’t come through the same door. They were there to. Yeah. And I when will people really realize that the chinese are not and the Russians are not our friends. Right? And I’m not saying a chinese person right? Who immigrates to the United States? That’s different. The s they’re chinese I’m talking about the chinese government. I’m talking about the Russian government

[00:49:25] Brad Nigh: right? The leadership

[00:49:27] Evan Francen: not our friends.

[00:49:28] Brad Nigh: No. And I think that’s a good distinction too because I think a lot of times people do say, you know, chinese arrogant, nothing. I mean you’ve got good and bad people everywhere. So look at the government, the leadership pacs, that’s where the issue is.

[00:49:44] Evan Francen: Exactly. So most significant attack ever. That doesn’t come as any surprise to you and me and many of the people in in information security. The thing I liked about it was that this was this came from an interview on 60 minutes that ran I think it was last sunday night or the sunday. Yeah, last sunday night.

[00:50:05] Brad Nigh: Get ran on down Wednesday.

[00:50:08] Evan Francen: Yeah. So you know, hopefully the public wakes up because the only way you’re going to get real change at this level is a governmental change. And the only way that that’s going to happen is if you get the legislators to start taking this more seriously crafting real bills and laws that actually work. The only way that’s ever going to happen is that the citizens actually become educated and demand a change. So you know, I’m I’m grateful that this was a CBS news thing. It wasn’t some, you know, security blog, right? None of the normal people read.

[00:50:48] Brad Nigh: Yeah, I’ll have to watch that and see you.

[00:50:51] Evan Francen: Yeah, well that’s what I’ve got is uh, you know from the hacker news and yeah, I’m tired of Microsoft patches, but you know, you got to do them. We issued patches. Microsoft issued patches for in the wild zero day attacks. Our vulnerabilities, I guess attacks exploits vulnerabilities in 55 other Windows bugs. I don’t know if you’ve noticed, but certainly on my own systems, I’ve noticed I’ve had to patch a lot more and I’ve had to reboot a lot more months now. The fact that the other things he’ll going on in the world, including solar winds and an increase in patching of not just Microsoft, but other things Apple. Uh, there is a relation. You never know the exact correlation, but it’s not coincidence. Right? So Patrick Window systems and it’s a pain in the butt for everybody when you have to reboot and you got 500 windows open. It’s like son of a gun. I can’t remember what I had open wear. Remember when Microsoft promised us that they, we weren’t ever going to have to reboot again on our patch.

[00:52:05] Brad Nigh: No, I probably just ignored it as like, Yeah, right.

[00:52:10] Evan Francen: Yeah. They promised it was sometime around two Windows 2000 I think, you know, people were migrating off of NT and No, and whatever it was a while ago. But I remember because we were planning about when, you know, when we were more sys admin e was, I’m tired of rebooting all the damn time is so disruptive to the business.

[00:52:33] Brad Nigh: Yeah, I’m tired of having to work on the weekends or overnight to patch

[00:52:37] Evan Francen: right. And uh, yeah, I think a lot of times we were using like HF net check for patching, remember HF net check?

[00:52:45] Brad Nigh: No, I never used that.

[00:52:46] Evan Francen: Okay, that was a command line tool that uh HF net check and I think it was shoveling. Hm.

[00:52:54] Brad Nigh: Look at that.

[00:52:55] Evan Francen: Yeah. But you know we get so Microsoft, you know, came out in public and I’m gonna find a reference to where they said it but uh publicly, I think yeah, they said we’re going to build new versions of windows that will not require you to reboot when you patch.

[00:53:16] Brad Nigh: That’s funny. I don’t remember that at all.

[00:53:20] Evan Francen: I have to find that. So here we are in 2021, I’m still having to reboot all the time, which is so disruptive because I do have a bunch of stuff open, I might have four or five spreadsheets open uh 5, 6 different word. And then the fact that you’ve got all this authentication with cloud services that’s so tightly inter interweave with all of this, that it’s not uncommon for me to use words and then I can’t get the stupid air message saying you can’t update or can’t save too. My one drive because of just give me a break.

[00:54:02] Brad Nigh: I have used the W. S. U. Uh w says offline, I use that for years anytime that there’s a new server before we got on the network. You have that USB plug in and run all the updates because immediately vulnerable and you don’t want to touching the internet. Right.

[00:54:29] Evan Francen: But I would suggest, you know, for people that are responsible for, you know, technical aspects of security and organizations to go read what the actual patches are. So we do obviously patch patch, patch, patch, keep software updated. That’s we’ve been beating that drum for a long time. But I wonder how many security folks actually take the time to go and read what the vulnerabilities were that we’re patching against. Uh But it’s always a good interesting

[00:54:59] Brad Nigh: read. Yeah.

[00:55:02] Evan Francen: Right. That’s that. Uh Yeah, I think that’s our news brad That this is it for episode 1 19. Does that what I said when I started this thing? Okay. Mhm. Hey, and we are going to get back to writing show notes. You know you and I were talking about before we will start posting show notes again. We’re not going to post the kind of the verbatim sort of dialogue. Show notes. We’re just going to post the things that we’re going to talk about on on the podcast. Yeah, so brad. Thank you. Thank you to our listeners. Uh Any shadows.

[00:55:37] Brad Nigh: Yeah, I’ll give matt Dowd and tom Freidel shut out for their hacked our hack dot E. D. U. It’s our internal kind of training for they did a uh thing on juicy potato. So token manipulation last week. Thanks Really, Really, really well.

[00:55:56] Evan Francen: Cool. Yeah. I’ll see what the technical services team to. I’ll give a shout out to uh mike Thompson pinky, I’ll give a shout out to eric, I always give shoutouts to Oscar so I’m not giving him one anymore. I mean not today. He always gets shut out. But those guys did a great job. I thought on hacker box on friday,

[00:56:17] Brad Nigh: I wasn’t able to listen. I’m optimistic that a meeting so bummed.

[00:56:22] Evan Francen: I think it’s recorded two. Yeah, it’s not a chance, but those, I love the way those guys were late and when I watched them, not only are they like super, super skilled, they’re just normal guys. You know, I mean there’s so much suffering. I love it. Right, That was fun. So, shout out to those guys. All right, thank you for our listeners. Send us things by email at un security at proton mail dot com. I am actually going to go check that email today. So it’s been a while. My apologies. It’s on my list. Uh if you’re the social type, you can certainly socialize with us on twitter. I’m Evan uh, @EvanFrancen. So my name and brad’s @BradNigh, isn’t it? Uh if you wanna follow things going on with our companies, uh @FRSecure is always putting out some good content. Uh like things like hackle box things like uh you know, webinars and things that they’re doing. They’re usually or they’re always very educational and I think they do the one with uh what was the one they were going to do with

[00:57:33] Brad Nigh: huntress, but

[00:57:33] Evan Francen: they don’t get enough. And then we’ve got one,

[00:57:37] Brad Nigh: I don’t know when that one is, but we’ve got one at that one with arctic wolf here in a couple weeks.

[00:57:42] Evan Francen: Okay, cool. Very cool. So tune in to uh you know, follow up are secure on twitter to check up on that stuff and then uh security studio, we’re @StudioSecurity. That’s it. So good to have a good day. We’ll talk to you next week.